#!/bin/bash
# Desc: Kubernetes全维度健康检查脚本
# 执行要求：kubectl配置+Popeye安装

# 核心组件检查
check_core_components() {
  echo "===== 集群核心组件检查 [高风险] ====="
  kubectl get componentstatuses | awk '
    $2 != "Healthy" {printf "\033[31mCRITICAL\033[0m: %s 状态异常\n", $1; exit 1}
    {printf "\033[32mPASS\033[0m: %s 状态正常\n", $1}
  '
  
  # ETCD集群检测 (需提前配置etcdctl证书)
  etcdctl endpoint health 2>&1 | grep -v "health: true" && \
    echo -e "\033[31mCRITICAL\033[0m: ETCD节点异常" || \
    echo -e "\033[32mPASS\033[0m: ETCD集群健康"
}

# 节点健康检查
check_nodes() {
  echo "===== 节点健康巡检 ====="
  # 节点就绪状态
  kubectl get nodes --no-headers | awk '
    $2 != "Ready" {count++}
    END {
      if(count>=2) {printf "\033[31mCRITICAL\033[0m: %d个节点NotReady\n", count; exit 1}
      else if(count>0) {printf "\033[33mWARN\033[0m: %d个节点NotReady\n", count}
      else {print "\033[32mPASS\033[0m: 所有节点Ready"}
    }'

  # 资源使用率（依赖metrics-server）
  kubectl top nodes --no-headers | awk '
    {
      cpu=$3; mem=$5;
      sub(/%/, "", cpu); sub(/%/, "", mem);
      if (cpu>=95 || mem>=95) {printf "\033[31mCRITICAL\033[0m: 节点%s CPU=%d%% MEM=%d%%\n", $1, cpu, mem}
      else if (cpu>=85 || mem>=85) {printf "\033[33mWARN\033[0m: 节点%s CPU=%d%% MEM=%d%%\n", $1, cpu, mem}
    }'
}

# 工作负载检查
check_workloads() {
  echo "===== Pod状态检查 ====="
  # 异常Pod检测
  kubectl get pods --all-namespaces --field-selector=status.phase!=Running,status.phase!=Completed -o wide | grep -v "No resources" && \
    echo -e "\033[31mCRITICAL\033[0m: 存在异常Pod" || \
    echo -e "\033[32mPASS\033[0m: 无Pending/CrashLoopBackOff状态Pod"

  # 容器重启次数
  kubectl get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.containerStatuses[].restartCount}{"\n"}{end}' | \
    awk '$2>5 {printf "\033[33mWARN\033[0m: Pod %s 重启%d次\n", $1, $2}'
}

# 存储系统检查
check_storage() {
  echo "===== 存储健康检查 ====="
  # PVC绑定状态
  kubectl get pvc --all-namespaces | awk '$2 != "Bound" {print $0; exit 1}' && \
    echo -e "\033[31mCRITICAL\033[0m: 存在未绑定PVC" || \
    echo -e "\033[32mPASS\033[0m: PVC均正常绑定"

  # PostgreSQL连接数示例 (需替换实际参数)
  PG_POD=$(kubectl get pod -n db -l app=postgres -o name | head -1)
  kubectl exec -n db $PG_POD -- psql -U postgres -c "SELECT count(*) FROM pg_stat_activity" | \
    awk 'NR==3 && $1>1024 {printf "\033[33mWARN\033[0m: 数据库连接数过高(%d)\n", $1}'
}

# 网络检查
check_network() {
  echo "===== 网络服务检查 ====="
  # DNS解析延迟测试
  kubectl run dns-test --image=busybox:1.28 --rm -it --restart=Never -- \
    sh -c "time nslookup kubernetes.default" 2>&1 | grep real | \
    awk -F'm' '{print $2*60+$3}' | awk '$1>5 {printf "\033[33mWARN\033[0m: DNS解析延迟%.2fs\n", $1}'
}

# 证书过期检查
check_certs() {
  echo "===== 证书有效期检查 [高风险] ====="
  kubectl config view --raw -o jsonpath='{..certificate-data}' | base64 -d | \
    openssl x509 -enddate -noout | awk -F'=' '
      $1=="notAfter" {
        cmd="date -d \""$2"\" +%s";
        cmd | getline exp;
        close(cmd);
        now=systime();
        diff=(exp-now)/86400;
        if(diff<90) printf "\033[31mCRITICAL\033[0m: 证书将在%.0f天后过期\n", diff
      }'
}

### 执行所有检查 ###
check_core_components
check_nodes
check_workloads
check_storage
check_network
check_certs

# 使用Popeye做深度扫描
echo "===== 运行Popeye集群扫描 ====="
popeye --out=html > /tmp/popeye-report.html && \
  echo "报告已保存: /tmp/popeye-report.html"
